One conventional malicious program detection technology collects samples of the malicious programs available to date, extracts from each sample a certain character string that serves as the signature of the malicious program, and determines whether a particular computer is infected with the malicious program by checking whether the extracted character string exists in files of the computer and the like.
Therefore, when a new malicious program is discovered, a detection program must be developed to identify the new malicious program itself, extract a predetermined character string that is the signature of the new malicious program, and detect the malicious program. Until information about the new malicious program is added, the existing detection program may not detect it; therefore, damage from the new malicious program may not be prevented. Also, the number of character strings that are signatures of malicious programs increases in proportion to the number of types of malicious programs. Therefore, a malicious program detection program takes more time to detect the existence of such a character string.
For example, in the case of a mobile device that is supplied with power using a battery and the like, such as a mobile phone, a personal digital assistant (PDA), and the like, the mobile device consumes power to extract a character string from a particular computer program and verify whether the extracted character string is the same as a character string corresponding to the signature of a malicious program. Due to the power consumption, power available to run the mobile device is inevitably reduced.
If a hacker's attacks reveal a vulnerability of a computer, a program manufacturer may guard against the hacker's attacks using a patch program associated with the vulnerability. However, there are no distinct solutions for other attacks on the underlying vulnerabilities.
Most malicious programs are not entirely new; specifically, they are variants of existing malicious programs. However, in order to detect a variant of a malicious program, a new character string extracted from that variant must be used instead of the character string extracted from the existing malicious program. Therefore, a plurality of character strings must be provided to detect a plurality of variants, respectively.
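The limitation described above, as an added example that is not part of the original text: a small signature-string scanner in Python showing that a variant differing in one byte escapes the existing signature until its own string is added, and that the number of string searches per file grows with the number of signatures. The byte strings, signature names, and function names are constructed for illustration.

```python
"""Signature-string scanning as described in the text (illustrative sketch)."""

# Constructed sample data: harmless byte strings standing in for program files.
ORIGINAL = b"\x90\x90HEADER" + b"PAYLOAD-ALPHA-0001" + b"TRAILER"
VARIANT = b"\x90\x90HEADER" + b"PAYLOAD-ALPHA-0002" + b"TRAILER"  # one byte differs
CLEAN = b"\x90\x90HEADER" + b"ORDINARY-APPLICATION" + b"TRAILER"
FILES = (("original", ORIGINAL), ("variant", VARIANT), ("clean", CLEAN))

# Hypothetical signature database: name -> character string extracted from a sample.
SIGNATURES = {"Sample.A": b"PAYLOAD-ALPHA-0001"}


def scan(data, signatures):
    """Return (names of matching signatures, number of string searches performed)."""
    matches, searches = [], 0
    for name, pattern in signatures.items():
        searches += 1  # every signature costs one search over the file
        if pattern in data:
            matches.append(name)
    return matches, searches


def add_signature(signatures, name, pattern):
    """Return a copy of the database extended with a newly extracted string."""
    updated = dict(signatures)
    updated[name] = pattern
    return updated


def demo():
    """Scan all constructed files before and after the variant's string is added."""
    before = {label: scan(data, SIGNATURES) for label, data in FILES}
    # The variant is detected only once its own string has been extracted and added.
    updated = add_signature(SIGNATURES, "Sample.A.variant", b"PAYLOAD-ALPHA-0002")
    after = {label: scan(data, updated) for label, data in FILES}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for stage, results in (("before update", before), ("after update", after)):
        for label, (matches, searches) in results.items():
            print(f"{stage:13} {label:8} matches={matches} searches={searches}")
```
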